Jan 09, 2024NewsroomData Security / Cyber Attack

Poorly secured Microsoft SQL (MS SQL) servers are being targeted in the U.S., European Union, and Latin American (LATAM) regions as part of an ongoing financially motivated campaign to gain initial access.

“The analyzed threat campaign appears to end in one of two ways, either the selling of ‘access’ to the compromised host, or the ultimate delivery of ransomware payloads,” Securonix researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said in a technical report shared with The Hacker News.

The campaign, linked to actors of Turkish origin, has been codenamed RE#TURGENCE by the cybersecurity firm.

Initial access to the servers entails conducting brute-force attacks, followed by the use of xp_cmdshell configuration option to run shell commands on the compromised host. This activity mirrors that of a prior campaign dubbed DB#JAMMER that came to light in September 2023.

This stage paves the way for the retrieval of a PowerShell script from a remote server that’s responsible for fetching an obfuscated Cobalt Strike beacon payload.

The post-exploitation toolkit is then used to download the AnyDesk remote desktop application from a mounted network share for accessing the machine and downloading additional tools such as Mimikatz to harvest credentials and Advanced Port Scanner to carry out reconnaissance.

Lateral movement is accomplished by means of a legitimate system administration utility called PsExec, which can execute programs on remote Windows hosts.

That attack chain, ultimately, culminates with the deployment of Mimic ransomware, a variant of which was also used in the DB#JAMMER campaign.

“The indicators as well as malicious TTPs used in the two campaigns are completely different, so there is a very high chance these are two disparate campaigns,” Kolesnikov told The Hacker News.

“More specifically, while the initial infiltration methods are similar, DB#JAMMER was slightly more sophisticated and used tunneling. RE#TURGENCE is more targeted and tends to use legitimate tools and remote monitoring and management, such as AnyDesk, in an attempt to blend in with normal activity.”

Securonix said it uncovered an operational security (OPSEC) blunder made by the threat actors that allowed it to monitor clipboard activity owing to the fact that the clipboard sharing feature of AnyDesk was enabled.

This made it possible to glean their Turkish origins and their online alias atseverse, which also corresponds to a profile on Steam and a Turkish hacking forum called SpyHack.

“Always refrain from exposing critical servers directly to the internet,” the researchers cautioned. “With the case of RE#TURGENCE attackers were directly able to brute force their way into the server from outside the main network.”

Dec 14, 2023NewsroomVulnerability / Data Breach

A previously unknown hacker outfit called GambleForce has been attributed to a series of SQL injection attacks against companies primarily in the Asia-Pacific (APAC) region since at least September 2023.

“GambleForce uses a set of basic yet very effective techniques, including SQL injections and the exploitation of vulnerable website content management systems (CMS) to steal sensitive information, such as user credentials,” Singapore-headquartered Group-IB said in a report shared with The Hacker News.

The group is estimated to have targeted 24 organizations in the gambling, government, retail, and travel sectors across Australia, Brazil, China, India, Indonesia, the Philippines, South Korea, and Thailand. Six of these attacks were successful.

The modus operandi of GambleForce is its exclusive reliance on open-source tools like dirsearch, sqlmap, tinyproxy, and redis-rogue-getshell at different stages of the attacks with the ultimate goal of exfiltrating sensitive information from compromised networks.

Also used by the threat actor is the legitimate post-exploitation framework known as Cobalt Strike. Interestingly, the version of the tool discovered on its attack infrastructure used commands in Chinese, although the group’s origins are far from clear.

The attack chains entail the abuse of victims’ public-facing applications of victims by exploiting SQL injections as well as the exploitation of CVE-2023-23752, a medium-severity flaw in Joomla CMS, to gain unauthorized access to a Brazilian company.

The SQL injections are accomplished by means of sqlmap, a popular open-source pentesting tool that’s designed to automate the process of identifying database servers vulnerable to SQL injections and weaponizing them to take over the systems.

In such attacks, the threat actors inject malicious SQL code into a public facing web page of the targeted website, allowing them to get around default authentication protections and access sensitive data, such as hashed and plaintext user credentials.

It’s currently not known how GambleForce leverages the stolen information. The cybersecurity firm said it also took down the adversary’s command-and-control (C2) server and notified the identified victims.

“Web injections are among the oldest and most popular attack vectors,” Nikita Rostovcev, senior threat analyst at Group-IB, said.

“And the reason being is that sometimes developers overlook the importance of input security and data validation. Insecure coding practices, incorrect database settings, and outdated software create a fertile environment for SQL injection attacks on web applications.”